Campaign
Gamaredon fileless WinRAR intrusion chain in Ukrainian state and infrastructure networks
Updated 01.06.2026 14:00
First seen 01.06.2026 14:00
Last seen 01.06.2026 14:00
Overview
**Gamaredon** remained active in January 2026 against **Ukrainian government, military, and critical-infrastructure** networks, using a booby-trapped xHTML file and malicious RAR archive to exploit **CVE-2025-8088** in **WinRAR**. The intrusion chain places a hidden HTA file in Startup, leans on **fileless VBScript**, stores components in **NTFS Alternate Data Streams**, and uses dead-drop resolvers on **Telegram** and **Cloudflare** to support long-term access and document theft.
Defensive focus has shifted to patching **WinRAR** to **7.13 or later** and hunting for startup-folder HTA files, alternate data streams, suspicious VBScript, scheduled tasks, registry changes, and removable-media spread. The activity is ongoing, but available evidence does not quantify how many organizations were compromised or how much data was taken.
Attackers tied to **Gamaredon** are actively targeting **Ukrainian government, military, and critical-infrastructure** networks for espionage, long-term access, and document theft. The observed January 2026 intrusion chain starts with a booby-trapped xHTML file that delivers a malicious RAR archive and abuses **CVE-2025-8088** in **WinRAR** to place a hidden HTA file in the Windows Startup folder. The operation has shifted heavily toward **fileless VBScript** execution and storage in **NTFS Alternate Data Streams**, reducing visible disk artifacts and complicating host-level detection. Persistence and spread rely on scheduled tasks, registry changes, USB media, and network drives, while command-and-control details are pulled through dead-drop resolvers on **Telegram** and **Cloudflare**.
Available material describes the malware as a worm and backdoor referred to as **GammaWorm**, used to preserve access inside Ukrainian networks and to move quietly across connected environments. Defensive guidance is to update **WinRAR** to version **7.13 or later**, watch for startup-folder HTA files, alternate data streams, suspicious VBScript activity, malicious shortcuts, and unusual lookups tied to the dead-drop infrastructure. The activity is confirmed as ongoing, but available evidence does not quantify the number of compromised organizations or documents taken, and cleanup may require wiping infected systems when fallback mechanisms cannot be removed reliably.
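A host-side hunt for the three artifacts the guidance above names (an unpatched WinRAR, HTA files in the Startup folders, and non-default NTFS alternate data streams), written here as an added PowerShell example rather than anything from the dossier or the underlying vendor reporting; it assumes WinRAR sits at its default install path and treats Zone.Identifier streams as benign mark-of-the-web data.

```powershell
# Added hunt script (not from the dossier). Reports: WinRAR below 7.13,
# HTA files (hidden ones included) in the per-user and all-users Startup
# folders, and alternate data streams under the current user profile.
# Assumptions: WinRAR at the default install path; Zone.Identifier is the
# only stream treated as benign, every other named stream is reported.

$findings = @()

# 1. WinRAR version: CVE-2025-8088 is fixed in 7.13, so anything lower is a finding.
$rar = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'   # assumed default install path
if (Test-Path -LiteralPath $rar) {
    $ver = (Get-Item -LiteralPath $rar).VersionInfo.FileVersionRaw
    if ($ver -lt [version]'7.13') {
        $findings += [pscustomobject]@{ Check = 'WinRAR'; Path = $rar; Detail = "version $ver is below 7.13" }
    }
}

# 2. HTA files dropped into Startup. -Force makes hidden files visible.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -File -Filter '*.hta' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'StartupHTA'; Path = $_.FullName; Detail = "attributes: $($_.Attributes)" }
        }
}

# 3. Alternate data streams on files under the profile (recursive, so this can take a while).
Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Check = 'ADS'; Path = $_.FileName; Detail = "stream '$($_.Stream)', $($_.Length) bytes" }
            }
    }

$findings | Format-Table -AutoSize
```

Run it in an elevated session so the all-users Startup folder and every profile path are readable; an empty table means none of the three artifact classes were found, not that the host is clean.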